The risk analysis of the eval () function of Python _python

In general Python's eval () function can turn the string "123" to 123 of the numeric type, but pp3e it is dangerous and can execute other commands!

Carry out some experiments on this. Sure enough, it would be dangerous to use eval () instead of int () in a CGI program written by Python to transform the contents of an input box such as age. Not only can you see all the files listed in the system, you can also delete files, view the file source code and other dangerous operations!

Try writing a program to write a local script file in one line of the server's file. Can be the last failure to enter the newline character "/n", in the submitted statement as long as there are line breaks, there will be EOL error prompts, changed the encoding method or failed to succeed.

There is a window in the page where the name is submitted, just to change it for example, otherwise the name will not be converted with the Eval function, but the age is very easy to go wrong. This file (http://localhost/tutor4.html) is imported into the OS.

line1 = "Hello,%s."% eval (form[' user '].value)

(1)

Os.system (' del */Q ') #删除当前目录下所有文件 (not including folders).

Os.system commands that call the current system (such as Windows)

/q
Specifies the mandatory state. You are not prompted to confirm the deletion.

(2) If you delete the folder, use RmDir

/s
Deletes the specified directory and all subdirectories and all files that are included. Use/s to delete the directory tree.

/q
Run rmdir in quiet mode. Deletes the directory without confirmation.

Os.system (' RmDir d:/workspace/s/q ')

(3) List all file Os.system (' dir '). Since the dir command was successfully executed, the system returns 0, so the returned content can only be hello,0. And on the server, it really is listed, if there is a log, may be found. Submit Os.system (' dir >dir.txt '), then access to Http://localhost/dir.txt so all the files and folders are exposed, want to see the source code? If you use Os.system (' Type target.py ') again, the command will return hello, 0 if it is successfully completed. Do you want to put in a file and access that file again? Open (' target.py '). Read ()

As a result, you can list and view the contents of other folders.

If you do not do other bad things, then you can delete Dir.txt to avoid being found. Os.system (' del dir.txt/q ')

Import the OS and execute commands:

__import__ (' OS '). System (' dir >dir.txt ')